Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: koendb on June 21, 2014, 01:51:59 am

Title: Cannot enable openchange account for users outside the default user container
Post by: koendb on June 21, 2014, 01:51:59 am
When I try to enable an openchange account for users in containers other than the default container, I get the following message:
Quote
This addon applies only to users in the default 'Users' container

This does not make much sense to me :-)
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: StuartNaylor on June 21, 2014, 03:35:47 am
I know, I said it before, as it's a McEnroe moment: 'You can not be serious'

Means only a single group policy, which negates the use of different group policies because your users can't have mail.

Daftest thing ever.

I have been saying this since 3.4 or was it 3.3. I just can't believe this is not seen as a priority!!!?
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: disinfector on July 18, 2014, 11:00:42 am
Is there a workaround for this problem?
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: koendb on October 10, 2014, 09:45:11 am
Still not fixed in 4.0!
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: jbahillo on October 10, 2014, 05:16:36 pm
This is a known issue, which I would not expect to see fixed in 4.0
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: ff8jake on October 10, 2014, 08:50:41 pm
Quote from: jbahillo
This is a known issue, which I would not expect to see fixed in 4.0

So basically:

Quote from: Zentyal.org Web Page
Zentyal is a drop-in replacement for Microsoft Small Business Server and Microsoft Exchange Server, that you can set up in less than 30 minutes.*

(*) Assuming you won't have to restructure your entire Active Directory to ensure all users are under the "Users" container.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: challpagal on January 31, 2015, 12:09:30 pm
Is there a workaround for this problem??
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: vasanth on June 03, 2015, 11:14:39 am
Any updates on this?

This is a key thing to be resolved and should be in the highest priority.

Also, there is no option to move users between containers!!
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: jbahillo on June 03, 2015, 05:47:50 pm
Hello:

In order to move users between containers, use RSAT. I don't think openchange software will be modified so it can be used with users from non-default OUs in a short time.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: seteq on July 31, 2015, 01:06:12 pm
If you look at the view counter on that forum's topic list page, this issue is really popular.

If you plan to use group policies (as almost every Windows admin does) you have to move your user and computer objects into organizational units, because linking a GPO to a container (like CN=Users) is not possible.
If you want to use openchange on Zentyal you are forced to put your users into that CN=Users container which in turn does not allow you to use group policies for your users at all.

So you must decide if you want to have group policies OR openchange... This is completely crazy!

Why isn't anyone of the development staff answering this topic?
If this restriction is not removed soon, openchange is completely useless as a Microsoft Exchange replacement!

Just my opinion :(

EDIT: Can you please explain in detail where the TECHNICAL limitation is?
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: jbahillo on July 31, 2015, 01:10:55 pm
Hello:

I've heard of people who have successfully created groups under a specific OU, and created users in the default container.
Moreover, Group Policies can be set up to apply to the whole domain but be filtered (Security Filter) using groups or even accounts.


(http://www.infotechguyz.com/images/GroupPolicySecurityFilter.jpg)
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: seteq on August 03, 2015, 12:44:21 pm
Your suggestion is nice - for tiny environments where you have users and OUs which you can count on one hand.

In bigger environments where you have hundreds of users and dozens of OUs - each with different GPO settings it's just not possible to put every user into the same container.
GPO processing is also becoming awfully slow when using your approach in bigger environments.

Can you explain whether that's a specific technical limitation by Openexchange/SoGo or it's just a Zentyal restriction?

If it's possible to redirect that to just ONE primary OU where all the users and sub-OUs are residing - that would be really great.

Thank you
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: jbahillo on August 03, 2015, 12:47:35 pm
Hello:

This is a restriction imposed by current OpenChange code. I'm not sure how complex it would be to change to a specific OU.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: seteq on August 03, 2015, 01:38:08 pm
I'm still not sure if that's really the truth.

I searched all config files in /etc for "CN=Users" and modified:
/etc/sogo/sogo.conf
/etc/ocsmanager/ocsmanager.ini
and replaced CN=Users,DC=domain,DC=tld with DC=domain,DC=tld

After that I moved one of my test-environment OU users into the users container, and after successful openchange account activation in the Zentyal web GUI I moved that user back to another OU.
Everything is still working as expected so I doubt it's just a dumb restriction on the Zentyal WebGUI...

EDIT: I even restarted all services and the zentyal-server and it still works...
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: gabriel.gheorghiu@abt.ro on August 04, 2015, 10:05:32 pm
Good work seteq!

I'm using Zentyal for multidomain e-mail server only, in DMZ.
It's a mess to have all users from different domains in the same OU -> Users!
Now, thanks to you, maybe I will be able to create an OU for each domain and move users accordingly.

I hope that these changes will be maintained in the event of changed files by updates.

I have a question for you, if you don't mind: my working version is 4.0.9.
Do you know if there are issues if I make upgrade to 4.1 from GUI (UPGRADE NOW button)?

Thank you in advance!

Gabriel
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: trysomething on August 04, 2015, 11:04:11 pm
I think this thread has gone off the deep end.  Nobody has hundreds and thousands of users on SBS.  Unless you're using a pirated copy of the Enterprise Exchange server you're not over 100 users either.  In both cases your hardware overhead is going to be somewhere close to how much money Bill Gates gives to charity every year to be able to handle that much processing.
Zentyal (community edition) is a free solution because we are in essence beta testing for the paid solution.  It is also a means of getting some folks with great minds together to play with what they have and find a means of expanding it.
In both SBS and Exchange you're going to have to create users and GPO's, why can't everyone just be inside the users group and you take a minute to create a couple of other security groups outside of it?  You've obviously all read about Zentyal's ability to bulk import from an existing A.D. right?  Probably not, but you can export your current A.D. to a CSV and import it right into Zentyal.
So, if you have hundreds and thousands of users inside a Microsoft A.D. a quick right click > Export List and then from your Zentyal box it's a tiny bit of scripting and done.
Nobody said that Zentyal is designed to digest an entire existing infrastructure, it's a replacement and I can set it up in 30 minutes.  Further to that point I'm legally blind with 20/450 in my good eye so it's me, a magnifying glass and a screen.  I've successfully moved 25 users from SBS 2008 to Zentyal 4.0.  Including setting up the Zentyal 4.0 box, doing the research on moving users, exporting mailboxes to PST's, importing, moving user accounts and mounting the old Windows NTFS drive on my Zentyal box with everyone's "Redirected Folders" took me two days.  Part of that time I was swimming with my kids, eating and sleeping so it's not really all that hard.
For the record, who in this thread got into their first SBS or Exchange box and had everything go the way they wanted it to?  How many countless hours did all of us spend on the stupid TechNet Blog reading article after article?  How many KB's have you had to install, remove, patch, read, downgrade and most ways fight tooth and nail with?
I'm super happy with Zentyal and I've even been beating it up against ClearOS and Nethserver - I've gotta say that compared to all of the other options out there Zentyal is the best solution so far.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: seteq on August 10, 2015, 10:19:10 am
Who was talking about SBS? SBS is a totally different thing in my opinion. If you have been running an SBS server you'd better migrate to Office365 and save all that money instead of running your own servers. If you really need to run your servers by yourself Zentyal MAY be a possible solution.

I tried to evaluate Zentyal as an alternative for "real" exchange servers with 100+ users. Zentyal could really help to save a lot of costs for Exchange server licenses and CALs (Enterprise vs. Core CAL) and admins may reinvest that money to support open source software development. But in the current state Zentyal is not an Exchange server replacement in any way.

I'm glad that you are happy with it, but in my eyes Zentyal still doesn't deliver what it tries to promise...
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: seteq on August 10, 2015, 10:24:28 am
Quote from: gabriel.gheorghiu@abt.ro
I hope that these changes will be maintained in the event of changed files by updates.

I have a question for you, if you don't mind: my working version is 4.0.9.
Do you know if there are issues if I make upgrade to 4.1 from GUI (UPGRADE NOW button)?

Be warned: The modifications are for testing purposes only and not recommended for production environments.
Whenever you do something on the GUI which forces a re-generation of your config files all your changes will be lost.

If you really need to make those changes some sort of permanent, you'd better change the config file stubs:
/usr/share/zentyal/stubs/openchange/ocsmanager.ini.mas
/usr/share/zentyal/stubs/openchange/sogo.conf.mas
Then you may save your changes on the GUI and the config file regeneration will use the new values without CN=Users

But I think that these modifications may also be lost when you install the updates.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: gabriel.gheorghiu@abt.ro on August 10, 2015, 11:30:08 am
Thank you seteq for your reply.

Kind regards,
Gabriel
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: trysomething on August 13, 2015, 01:44:49 am
@seteq - Zentyal is really meant for guys like me who maintain an in-house server for a small office.  Anything larger scale is going to have to be built from the ground up.  That being said I've been working on doing my own "Ubuntu Business Box" for a lot of different reasons.
So far I've only lost some hair over the deal, but I just installed Ubuntu 14 on a VM and at the end I picked to install SSH, Mail Server, DNS and I'm pretty sure that's it.   Oh yeah I picked to install default LAMP too LoL.
Once it's all restarted I actually found a few pretty good tutorials on building Samba 4 from source to use it as a PDC with Bind9 DNS - so I got that most ways working.
Then you have to do some config changes to make all of your authentication stuff to use sassl (think I typed that right, pretty tired at present LoL).
Once that's all setup you can add a couple of test users into Samba and authenticate to the mail service (in theory).
Then you have to install SoGo and the Open Change Plug-in, both of which I haven't gotten to yet but it looks pretty in depth right now.
If you're interested in checking out more open source stuff there are ClearOS and Nethserver - both have free community editions.  To run an Exchange replacement you have to buy Zarafa (maybe it's Zarifa) but it's like $10 to buy a license for that and I think you just need the 1 license per box.  I liked ClearOS because it had a marketplace kind of deal but I had a rough go at using it because it's based on CentOS or Red Hat and I'm just learning Debian/Ubuntu so I had to walk away from it.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: mohscorpion on September 15, 2015, 09:16:49 am
Quote from: seteq
Quote from: gabriel.gheorghiu@abt.ro
I hope that these changes will be maintained in the event of changed files by updates.

I have a question for you, if you don't mind: my working version is 4.0.9.
Do you know if there are issues if I make upgrade to 4.1 from GUI (UPGRADE NOW button)?

Be warned: The modifications are for testing purposes only and not recommended for production environments.
Whenever you do something on the GUI which forces a re-generation of your config files all your changes will be lost.

If you really need to make those changes some sort of permanent, you'd better change the config file stubs:
/usr/share/zentyal/stubs/openchange/ocsmanager.ini.mas
/usr/share/zentyal/stubs/openchange/sogo.conf.mas
Then you may save your changes on the GUI and the config file regeneration will use the new values without CN=Users

But I think that these modifications may also be lost when you install the updates.

Hi,
I have tried this solution, but no matter what changes I make to those files, the values shown in the UI are still the same and I can't activate openchange for my users inside OUs.
Can you please provide more about your recommendation?
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: trysomething on September 16, 2015, 06:49:19 pm
This solution will not survive an upgrade from 4.1-4.2, it may not survive 4.1-4.1.4 either, but there is a solution!  Go check out the Appendix B of the Zentyal Wiki:

https://wiki.zentyal.org/wiki/En/4.1/Appendix_B:_Development_and_advanced_configuration

Sorry it's not an actual link but I'm blind and I can never find that stupid insert hyperlink button anymore.  It's actually a super cool setup that makes this much easier, you use Zentyal Stub Files to make the changes, which ironically have pretty much the same name.  The secret is creating a directory /etc/zentyals/stubs - if and when you upgrade and there is a conflict with your custom stub file you just compare files between the default and your custom one, make appropriate changes and restart whatever service/module you just changed.  It's actually pretty easy and survives - until Zentyals stops using stub files I guess LoL.
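
The upgrade check described in the post above (compare each custom stub with the packaged default whenever an upgrade changes it), written as an added example that is not part of the thread or of Zentyal. The directories are the ones named in this thread; the baseline file, the function names and the status words are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Zentyal code): detect custom stubs whose packaged default
# changed after an upgrade, so they can be compared and merged by hand.

# Directories as named in the thread; the baseline file path is an assumption.
DEFAULT_DIR=${DEFAULT_DIR:-/usr/share/zentyal/stubs}
OVERRIDE_DIR=${OVERRIDE_DIR:-/etc/zentyal/stubs}
BASELINE=${BASELINE:-/etc/zentyal/stubs/.defaults.sha256}

sha_of() { sha256sum "$1" | cut -d' ' -f1; }

# Relative paths of every custom stub (*.mas) under directory $1, sorted.
list_overrides() {
    ( cd "$1" 2>/dev/null && find . -type f -name '*.mas' | sed 's|^\./||' | sort )
}

# record_baseline DEFAULT_DIR OVERRIDE_DIR BASELINE_FILE
# Run right after creating or merging an override: stores the hash of the
# packaged default that each custom stub was derived from.
record_baseline() {
    : > "$3"
    list_overrides "$2" | while IFS= read -r rel; do
        if [ -f "$1/$rel" ]; then
            printf '%s  %s\n' "$(sha_of "$1/$rel")" "$rel" >> "$3"
        fi
    done
}

# override_status DEFAULT_DIR OVERRIDE_DIR BASELINE_FILE
# Prints one line per custom stub:
#   OK        packaged default unchanged since the baseline was recorded
#   REVIEW    packaged default changed; diff it against the custom stub
#   ORPHANED  no packaged default with that name exists any more
#   UNTRACKED custom stub was added after the baseline was recorded
override_status() {
    list_overrides "$2" | while IFS= read -r rel; do
        if [ ! -f "$1/$rel" ]; then
            echo "ORPHANED $rel"
            continue
        fi
        recorded=$(awk -v f="$rel" '$2 == f { print $1 }' "$3" 2>/dev/null) || recorded=""
        if [ -z "$recorded" ]; then
            echo "UNTRACKED $rel"
        elif [ "$recorded" != "$(sha_of "$1/$rel")" ]; then
            echo "REVIEW $rel"
        else
            echo "OK $rel"
        fi
    done
}

# check_overrides: print the report, return 1 if any stub needs attention.
check_overrides() {
    report=$(override_status "$1" "$2" "$3")
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -qv '^OK '; then return 1; fi
    return 0
}

# Usage: script.sh record   (after editing overrides)
#        script.sh check    (after every package upgrade)
case "${1:-}" in
    record) record_baseline "$DEFAULT_DIR" "$OVERRIDE_DIR" "$BASELINE" ;;
    check)  check_overrides "$DEFAULT_DIR" "$OVERRIDE_DIR" "$BASELINE" ;;
esac
```

A REVIEW line means the regenerated config is still built from the old custom template, so any fix shipped in the new default is not in effect until the two files are merged and the baseline is recorded again.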
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: mohscorpion on September 22, 2015, 09:37:35 am
It is a good idea, but the file I need to change is not in the stubs. It is in the /etc/sogo directory,
which gets regenerated. I am checking to find the stub file responsible for this.
Actually I searched all files in the stubs directory but none of them had "cn=users".
Thanks
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: trysomething on October 19, 2015, 09:58:04 pm
I'm guessing you'll at least get pointed in the right direction in:

/usr/share/Zentyal/stubs/openchange/apache-ocsmanager.conf.mas

That has references to the sogo side of things in a few places.  I'd venture a guess that you'll find what you need inside the openchange directory.

What I did to figure out quite a bit of things was just drop a stub file in /etc/Zentyal/stubs/openchange (or whichever directory) and just start changing stuff.  If it screwed up then I just deleted the file and made a note of what not to do LoL.

Of course the DC side of things is supposed to be managed by Samba, so maybe in the Samba stubs would be something.  Now you've really got me thinking on this, so I'm going to tear some stuff apart in a minute here and see what I can figure out!
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: jbahillo on November 06, 2015, 12:16:03 am
Perhaps:

https://github.com/zentyal/zentyal/blob/master/main/openchange/stubs/sogo.conf.mas


?
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: scott_whalen on December 16, 2015, 04:39:05 am
Is this the solution to preventing virtual domains from seeing other virtual domain calendars? Right now (in webmail at least) when subscribe to calendars are searched, the users from other VD's are shown in the list.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: Gabriel GHEORGHIU on December 18, 2015, 07:56:09 am
Hi Scott,

I use Zentyal for a multidomain email server and I have the same problem. How I solved it:

Edit "sogo.conf.mas":

nano /usr/share/zentyal/stubs/openchange/sogo.conf.mas

Here, modify in "/* LDAP authentication */" from YES to NO, like here:

1. For ADDRESSBOOK:

            id = sambaShared;
            displayName = "Shared Addressbook";
            canAuthenticate = NO;
            isAddressBook = NO;

2. For CONTACTS:

            id = sambaContacts;
            displayName = "Shared Contacts";
            canAuthenticate = NO;
            isAddressBook = NO;

After modifications, you must restart the service or the entire system.

If there are updates/upgrades for SOGO or Openchange, after they are applied, you must modify again "sogo.conf.mas".

Unfortunately, I don't know how to do this to be permanent (I understand that can be copied "sogo.conf.mas" in a special location and the modifications will be permanent, but ...).

Kind regards,
Gabriel
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: Gabriel GHEORGHIU on December 18, 2015, 07:05:05 pm
Quote from: scott_whalen
Is this the solution to preventing virtual domains from seeing other virtual domain calendars? Right now (in webmail at least) when subscribe to calendars are searched, the users from other VD's are shown in the list.

Hi Scott,

Please read here: https://forum.zentyal.org/index.php/topic,24036.msg99630.html#msg99630 to make the modifications permanent, thanks to jbahillo.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: scott_whalen on December 19, 2015, 04:00:31 am
Thanks Gabriel, I made the changes, however in webmail the user still gets all of the users in the search box.

I've also made the changes in the stubs for sogo and ocsmanager, but CN=users is still showing on the GUI and I can't enable openchange for non default users group users.

I'm running 4.2 that I downloaded and installed about a week ago, were there changes to prevent these items in this release?

How is the paid ISP version configured? I would expect it to work this way.
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: Gabriel GHEORGHIU on December 19, 2015, 08:32:58 am
Quote from: scott_whalen
Thanks Gabriel, I made the changes, however in webmail the user still gets all of the users in the search box.

Hi Scott! You're welcome!

I just verified in my email account on webmail and I don't get users from other email virtual domains that I have on the server.

After these modifications in "sogo.conf.mas", in the email account user interface you must have:
1. in Address Book: only "Personal Address Book" and "Collected Address Book".
2. in Calendar: only "Personal Calendar"

If you don't have only those from above, I think you must restart the server. It should work.

Quote from: scott_whalen
I've also made the changes in the stubs for sogo and ocsmanager, but CN=users is still showing on the GUI and I can't enable openchange for non default users group users.

I haven't yet made the changes recommended by seteq to enable openchange for non default users group users.
Theoretically it should work. I have read the docs from the Sogo site. Sogo is capable of managing separate domains but here, on Zentyal, I think there must be related modifications on Sogo, Openchange and maybe on Samba and Apache. I really don't know, just guessing.

Quote from: scott_whalen
I'm running 4.2 that I downloaded and installed about a week ago, were there changes to prevent these items in this release?

I'm also running 4.2 (upgrade from 4.1).

The default location for "sogo.conf.mas" is: /usr/share/zentyal/stubs/openchange/sogo.conf.mas

The custom stub will be here: /etc/zentyal/stubs/openchange/sogo.conf.mas

Quote from: scott_whalen
How is the paid ISP version configured? I would expect it to work this way.

If you refer to the Zentyal Cloud version, it is made for separate domains and should work in this way.

Zentyal Cloud -> Technical Features -> Multitenant: Complete isolation of client companies ...
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: scott_whalen on December 19, 2015, 06:06:45 pm
Gabriel,

I looked again and did see the change to the address book & calendar lists. So it did work.

The behavior that I see is searching or sharing either from the webmail interface, you see the search results for all users regardless of the virtual domain when you are selecting the user to grant access or in searching for another user's address book/calendar. You still need to grant access to be able to open from another user.  Is there a way to list only the users in the virtual domain here?

Title: Re: Cannot enable openchange account for users outside the default user container
Post by: Gabriel GHEORGHIU on December 19, 2015, 07:04:24 pm
Quote from: scott_whalen
Gabriel,

I looked again and did see the change to the address book & calendar lists. So it did work.

The behavior that I see is searching or sharing either from the webmail interface, you see the search results for all users regardless of the virtual domain when you are selecting the user to grant access or in searching for another user's address book/calendar. You still need to grant access to be able to open from another user.  Is there a way to list only the users in the virtual domain here?

Hi Scott,

AFAIK, there is no way to list only the users that belong to only one virtual domain (for Zentyal Server and/or Zentyal Server Development Edition), when you have multiple virtual domains. You can only have "everything or nothing". That is by design. Maybe I'm wrong but I don't think so.

As I said, maybe it is possible but with a lot of changes, made by somebody who is really good.

If you want a free email server (but only email server) for completely separate domains, you can try iRedMail (Linux) or AXIGEN (Windows/Linux; the free version has some limitations: 100 email accounts distributed across n domains, ...). Maybe there are more free email servers but I don't know.

BR,
Gabriel
Title: Re: Cannot enable openchange account for users outside the default user container
Post by: vasanth on February 27, 2016, 04:59:00 am
Quote from: seteq
Quote from: gabriel.gheorghiu@abt.ro
I hope that these changes will be maintained in the event of changed files by updates.

I have a question for you, if you don't mind: my working version is 4.0.9.
Do you know if there are issues if I make upgrade to 4.1 from GUI (UPGRADE NOW button)?

Be warned: The modifications are for testing purposes only and not recommended for production environments.
Whenever you do something on the GUI which forces a re-generation of your config files all your changes will be lost.

If you really need to make those changes some sort of permanent, you'd better change the config file stubs:
/usr/share/zentyal/stubs/openchange/ocsmanager.ini.mas
/usr/share/zentyal/stubs/openchange/sogo.conf.mas
Then you may save your changes on the GUI and the config file regeneration will use the new values without CN=Users

But I think that these modifications may also be lost when you install the updates.

Hi Seteq,
I have tried modifying all the referred config & ini files including stubs, and also tried the new stub locations. But
the file ocsmanager.ini is getting created, even after deleting it, with the setting as follows (search for content CN=Users within /etc):
/etc/ocsmanager/ocsmanager.ini:basedn =  CN=Users,DC=xxxxxx,DC=com
/etc/ocsmanager/ocsmanager.ini:basedn = CN=Users,DC=xxxxx,DC=com

Is there anything else I'm missing?

Note: am on 4.2